A NASA laptop stolen last year had not been encrypted, despite containing codes used to control and command the International Space Station, the agency's inspector general told a US House committee.
NASA IG Paul Martin said in written testimony (PDF) to the House Committee on Science, Space and Technology that a laptop was …

Because...

...no matter how well you guard access, once SOMEONE has access to it, they may think they'll forget it later on when they'll need it again. And since high-security computers are likely to be air-gapped, no remote connection is possible, so they'll copy the data (even if they have to do it MANUALLY or BY ROTE--kinda hard to safeguard against biological memory). Obfuscating the codes so no one sees them won't work if the person involved is the one who actually has to handle the codes, and then we get back to where we started.

To turn an old phrase for a new purpose, ask yourself, "How do you safeguard a secret code against the code writer?"

Re: Because...

Apply the Vetinari Solution, viz.: take your incredibly smart person, find out their favourite hobby and lock them in a light, airy room with unlimited supplies, then ask them to make the codes in their spare time.

While it's not a panacea...

Re: While it's not a panacea...

It may have been an older laptop that didn't have support, and NASA's budget is among the ones being tightened, so they may fire back, "How are we supposed to replace them for more secure ones without the money to requisition them?"

Re: Re: Re: While it's not a panacea...

Someone else brought up TC a few days ago and I meant to comment on it then. Truecrypt is a great solution, FLOSS and all that. But it doesn't have the ability to deal with forgetting your password or when someone dies; there's no recourse. For us to remember that's manageable if the data is gone. What happens when that data is something like black budget NRO work and now nobody can access it? So there needs to be a way to deal with password resets.

Personally I think it's a security flaw, but people (including me) forget passwords all the time. They shouldn't forget this one, because they should have to enter it every day, but users are what they are.

Re: While it's not a panacea...

1) That assumes that they can get the appropriate signoffs from involved groups. Like most big government departments, from what I understand NASA is fragmented into little fiefdoms and getting them all to agree to come to work at the same time, let alone implement standard policies about security, is like saying that Labour and the Tories should have all their policies in common.

2) Various bits of NASA IT are outsourced AFAIK (e.g. http://www.odin.nasa.gov/ ), so unless drive encryption was in the original contract for services it'd be an addendum which would come with additional cost, even for free solutions like TrueCrypt. Again, getting sign off from involved parties would be difficult.

3) From what I understand ODIN is a fixed cost contract so the contractor gets more $$$ by hiring people for cheap, which again makes it difficult to implement stuff like full disk encryption.

Re: Feet and meters, bits and bytes...

Well... Really they're aerospace engineers, not rocket scientists.

Also, it was a programmer that made that boner, and they are typically kept tucked away from the actual hardware. I'm not sure, but I'd hope that anyone that works on an international project like that is forced to sleep with a meter stick, now.

Who cares?

NASA Hardware

I work for a company that recycles "retired" NASA computers and other bits and bobs. One of the recent systems that I had to process was an Osborne 1. With a sticker on it denoting that it had a role in the ISS. Yes, an Osborne 1. I'll guarantee you that Truecrypt doesn't work on that.

Also, many of the systems I see from them are unique or 'one-offs' that again cannot run Truecrypt or any currently available software...

Re: NASA Hardware

Adding to the problem

of lost civil servant laptops.

Perhaps it is the only way to get an up to date laptop or perhaps when it starts to behave randomly and each time you try to show how badly it behaves to the tech people it performs nicely like they tend to do. Perhaps the lost "solution" is then the only clever one.

Then again, perhaps, those who lose their computer should pay, personally, +20% for their new computer. Perhaps the number of lost stuff would decrease.

Or, perhaps, it is fine the way it is, or, perhaps, I am wrong altogether.

Love the fact that so much taxpayer money is going to this. So let me get this straight: you have some of the smartest people around working for you, and basically everything you do depends on a computer at some point, so if everyone there is so damn smart, why does no one think to buy encrypted hard drives, hmm? Simply amazing.

Two things.

First, hard drives with built-in encryption are a bit new and have their quirks (for example, finding a 2.5" inch that fit a laptop was tricky because you couldn't use any ordinary 2.5" HD in it--you needed to cram a 1.6" drive and the encryption chips into a 2.5" form factor). That means compromises that may or may not be acceptable for the job in question.

Second, secure devices are expensive, and government budgets are getting tighter and tighter. Less spending and more security are clashing at this point.

Plus no solution on the market at the moment can completely alleviate the possibility of stealing the device "hot": while it is still running (kinda like sneaking in during those times when the front door is legitimately open).

Re: Two things.

I have to disagree with you. DELL laptops have encryption available for HD, any size, for many years now. Free. It is on the BIOS settings and it is a very strong encryption. So your first two statements are incorrect. Second, your third statement is absurd. Any network policy, even the most relaxed one, can have the option of asking for HD encryption password after a few minutes idle. I am assuming that to steal the device HOT someone will take at least 3 minutes to grab it and get out of the building. Physical access is part of IT security policies too.

There is no excuse for this FAIL. Whoever is responsible for IT administration at NASA is very bad at what he/she does. VERY BAD.

Re: Two things.

You're talking BIOS encryption, which as mentioned before may not have been available (depends on the laptop, and if it isn't, good luck getting money out of NASA's tightened budget for a new one). I was talking drive encryption (like a secure disk-on-module), which can be transparent to the OS and therefore useable even on older laptops.

Second, give me about a minute with the laptop and I can have it thrashing for as long as needed (think something like a defrag program). Since it's automatic but keeps the HD moving, it never idles long enough to lock. As there are ways to keep the laptop from going to sleep once the lid's closed. And physical access can be difficult if something like a laptop has to be able to go OUTSIDE (which is usually why laptops are being used; otherwise, a physically-locked-down remote workstation would be preferable).

As for hiring someone better, who's got the budget for someone better?

The "smartest people" are too busy doing important stuff and don't have time to think about anything mundane - so, when the proles that provide the IT services start talking about security and encryption, they are told to shut up because none of them have PhDs in Astrophysics or Mathematics. When one of the smart people does something stupid, like losing a notebook containing a load of sensitive documents, the IT proles have to fight not to smirk during the various "WTF happened / who to blame" meetings that follow.

Re: Two things.

I am not talking about BIOS encryption. I am talking about HD encryption that can be selected in the BIOS.....COMPLETELY DIFFERENT THING. All my laptops have it. It doesn't matter how hard you try to break through this encryption, you simply can't. Even the FBI cannot currently break that encryption.